The '..' Characters Are Not Allowed In The Path Parameter For The MapPath Method

Posted July 20, 2006 at 3:49 PM

Tags: XStandard WYSIWYG

I am covering for someone on vacation was given the task of configuring XStandard on a client site. The web services were not working and when accessed directly, the error they throw is:

The '..' characters are not allowed in the Path parameter for the MapPath method

The client is running off of the ASP version of the web services, not my ColdFusion implementation (again, not my client). This doesn't apply to my ColdFusion version, but, since I do so much Xstandard work, I figure I would post up the reason this happens. It's all about security. If you can put ".." in your MapPath() method, then you can go outside of your web root and I guess that freaks some people out. XStandard PRO needs this though because it uploads files to dynamic paths. So, we must allow ".." characters otherwise, we would never know to where we were uploading.

To remedy this (as taken off of the Fog Creek Software site):

1. Open IIS Manager, right click and choose properties on your [SITE_NAME] virtual directory (or the website root if [SITE_NAME] is installed at the root.
    
2. Click the Home Directory or Virtual Directory tab and choose the 'Configuration' button on that tab.
    
3. Click the Options tab and make sure the "Enable parent paths" setting is enabled.

Now, when accessed directly, the web services say: "Status: Ready".

Post Comment  |  Ask Ben  |  Permalink  |  Print Page

• Add To Del.icio.us
• Add To Digg
• Add to Spurl.net
• Add to Wists
• Add to Simpy
• Add to Newsvine
• Add to BlinkList
• Add to Furl
• Add to reddit
• Add to FARK
• Add to BlogMarks
• Add to Yahoo! My Web
• Add to smarking
• Add to Ma.gnolia
• Add to Segnalo

Reader Comments

Thank you...you are the only person on the web with a solution to this obscure 'gotcha'. I am building ASP sites on my WinXP laptop and then deploying on a Win2003 Server. The newer version of IIS on the server adds this security "feature".

Glad to help.

This site is interesting and very informative, nicely interface. Enjoyed browsing through the site

This problem may also be solved using Request.ServerVariables("APPL_PHYSICAL_PATH") which returns the path to the root folder.
So, if you want to access a file in a parent directory like ../MyFiles/Image.gif it is ok to write

MyPath = Request.ServerVariables("APPL_PHYSICAL_PATH")+"/MyFiles/Image.gif"

I did not know that. Thanks for the hot tip.

Thanks a million! I was having almost the same problem as Neil Laslett: site developed for use, and working perfectly, on XP, was playing up when I tried to move it to Vista.

Great fix.
It must be horrible (not saying this is what happened) when you have to go fill in for someone, and find the way they do things is totally wrong. And you have to fix all of their misnomers, so that they probably receive the praise for things working 'so well' when they get back.
I've had many a time a situation like that. Well, especially in the corporate environment. At least now I work for myself, but it can still happen with some contracts.

Thanks for this post! =)

Nice! Miojo Solution! Thanks!

Post Comment  |  Ask Ben

Post A Comment

Please review the following issues:

Author Name:
Author Email:
Author Website:
Comment:	Formatting: <strong>bold</strong> <em>italic<em>
	Remember my information
	Subscribe to entry *
	Send me a copy of this comment (as part of the comment thread)

 

* If you subscribe, any new posts to this thread will be sent to your email address.